bolivian-peru/security-hardening
skills/security-hardening/SKILL.md
Continuous security posture assessment. Scores the system, auto-fixes safe issues, proposes fixes for risky ones. Every change audited.
$ install --global
skillsauthnpx skillsauth add bolivian-peru/os-moda security-hardeningInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 20, 2026, 3:00 AM7.7s1 file scanned
SKILL.md
- name:
- security-hardening
- description:
- >
- activation:
- auto
Security Hardening Skill
Continuous security scoring and automated hardening.
Security Scan Checklist
Run these checks and score each one:
Network (30 points)
shell_exec({ command: "ss -tlnp" })
- [ ] No unnecessary ports exposed (+10)
- [ ] PostgreSQL/Redis/etc bound to localhost only (+10)
- [ ] Firewall enabled with explicit allowlist (+10)
SSH (25 points)
shell_exec({ command: "sshd -T 2>/dev/null | grep -E 'passwordauth|permitroot|x11forwarding|maxauthtries'" })
- [ ] Password auth disabled (+10)
- [ ] Root login disabled or key-only (+5)
- [ ] X11 forwarding disabled (+5)
- [ ] MaxAuthTries <= 3 (+5)
Failed auth attempts
journal_logs({ unit: "sshd", since: "7 days ago", priority: "warning" })
shell_exec({ command: "journalctl -u sshd --since '7 days ago' | grep -c 'Failed password'" })
System (25 points)
- [ ] Automatic security updates enabled (+10)
- [ ] No world-writable files in /etc (+5)
- [ ] NixOS generations < 30 (clean system) (+5)
- [ ] No setuid binaries outside expected set (+5)
Audit (20 points)
- [ ] agentd ledger intact (hash chain valid) (+10)
- [ ] All recent changes have audit entries (+10)
Scoring
Calculate: (earned_points / 100) * 100
Present as:
Security Score: 78/100
Auto-fixed (safe, no approval needed):
✅ Enabled fail2ban (NixOS config added)
✅ Set MaxAuthTries to 3
✅ Blocked 5 IPs with repeated failed logins
Needs your approval:
⚠️ Port 5432 exposed publicly — close it? (saves 10 pts)
⚠️ Enable automatic nixpkgs security channel
Won't touch without discussion:
🔴 Root SSH enabled (you may need this for deploys)
Auto-Fix Actions (safe, always do these)
Enable fail2ban
services.fail2ban = {
enable = true;
maxretry = 3;
bantime = "1h";
};
Block brute-force IPs
shell_exec({ command: "journalctl -u sshd --since '24h ago' | grep 'Failed' | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn | head -10" })
For IPs with > 10 attempts:
networking.firewall.extraCommands = ''
iptables -A INPUT -s <IP> -j DROP
'';
Close unused ports
networking.firewall.allowedTCPPorts = [ 22 80 443 ];
# Remove any port that doesn't have a matching service
Approval-Required Actions
Present a clear diff and explain the security impact:
- Switching SSH to certificate auth
- Enabling automatic updates
- Changing firewall rules that affect application access
Weekly Report
Generate a trending security report:
Security Report — Week of Feb 17
Score: 78/100 (↑ from 65 last week)
This week:
- Blocked 142 brute-force SSH attempts from 23 IPs
- Applied 2 NixOS security patches (OpenSSH, curl)
- Closed port 3306 (MySQL was accidentally exposed)
- 0 incidents, 0 unauthorized changes
Trend: Improving. Main gap: root SSH still enabled.
Store the report in memory for historical tracking.
Related Skills
bolivian-peru/morning-briefing
testing
VerifiedTrustedCommunity
Generate a concise daily infrastructure briefing. Covers: service health, resource usage, security events, overnight incidents, and cost tracking. Designed for Telegram/chat delivery.
104SKILL.mdUpdated Apr 20, 2026
bolivian-peru/swarm-predict
devops
VerifiedTrustedCommunity
Multi-perspective risk analysis using structured persona debate before deploying changes
96SKILL.mdUpdated Apr 20, 2026
bolivian-peru/spec-driven-development
development
VerifiedTrustedCommunity
Build software via spec-driven development (github/spec-kit). Whenever the user asks for a feature larger than a one-line tweak, scaffold a spec-kit project, capture WHAT + WHY, declare tech stack, break into tasks, then iterate the implementation until tests pass.
88SKILL.mdUpdated May 4, 2026
bolivian-peru/system-packages
development
VerifiedTrustedCommunity
Manage NixOS packages declaratively. Search, install (via configuration.nix rebuild), remove, rollback, and list generations. Understands the NixOS declarative model.
80SKILL.mdUpdated Apr 20, 2026